Posts

The WordPress 4.0.1 security update was released today. It addresses eight security flaws, including cross-site scripting (XSS) and denial-of-service issues, and also fixes 23 bugs in the 4.0 release.

It is highly recommended that anyone running WordPress update their installations as soon as possible.

WordPress and Drupal have both been patched for, amongst other things, a vulnerability that allows an attacker to take down a site running either platform.

The XML-RPC endpoint that both projects expose hands incoming requests to a PHP XML parser that is vulnerable to XML entity expansion (the "billion laughs" class of attack) and related XML payload attacks. A single small request can exhaust CPU and memory and drive the site's database to its maximum number of open connections; any of these leaves the site unavailable or unresponsive (denial of service).
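A pre-parse guard of the kind that closes this class of hole, written here as an added PHP example (my code, not the WordPress or Drupal patch): XML-RPC `<methodCall>` documents never legitimately carry a DTD, so any request containing a DOCTYPE or ENTITY declaration can be refused before the XML parser ever sees it. The 1 MiB size cap, the function names and the constructed `billion_laughs_sample()` payload are my own choices; the code assumes PHP 7.1 or later with the DOM extension.

```php
<?php
/*
 * Added example (not project code): refuse XML-RPC requests that carry a DTD before
 * they reach the XML parser. XML-RPC never needs a DOCTYPE or ENTITY declaration,
 * so their presence is a reliable sign of an entity-expansion payload.
 * Requires PHP 7.1+ (nullable return types) and ext-dom.
 */

// A classic "billion laughs" document, constructed here only to exercise the guard.
// lol expands to 3 bytes, lol1 to 10 copies of lol, ... lol9 to 10^9 copies (about 3 GB),
// all from a request of under a kilobyte.
function billion_laughs_sample(): string {
    $dtd = "<!DOCTYPE lolz [\n  <!ENTITY lol \"lol\">\n";
    for ($i = 1; $i <= 9; $i++) {
        $prev = $i - 1;
        $ref  = ($prev === 0) ? '&lol;' : "&lol{$prev};";
        $dtd .= "  <!ENTITY lol{$i} \"" . str_repeat($ref, 10) . "\">\n";
    }
    $dtd .= ']>';
    return "<?xml version=\"1.0\"?>\n{$dtd}\n"
         . "<methodCall><methodName>&lol9;</methodName></methodCall>";
}

/*
 * Returns null when $body may be parsed, otherwise a short reason for refusing it.
 * $maxBytes (1 MiB here) is an assumption: choose a limit that fits your own RPC traffic.
 */
function xmlrpc_reject_reason(string $body, int $maxBytes = 1048576): ?string {
    if (strlen($body) > $maxBytes) {
        return 'payload exceeds size limit';
    }
    // Case-insensitive scan of the whole body: a DTD must precede the root element,
    // but attackers will vary case and pad the prologue, so do not anchor the search.
    if (stripos($body, '<!DOCTYPE') !== false) {
        return 'DTD (DOCTYPE) not allowed in XML-RPC';
    }
    if (stripos($body, '<!ENTITY') !== false) {
        return 'entity declaration not allowed in XML-RPC';
    }
    return null;
}

// Parse only after the guard has passed; an unguarded parser would expand the entities.
function parse_method_name(string $body): ?string {
    if (xmlrpc_reject_reason($body) !== null) {
        return null;
    }
    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing.
    if (!@$dom->loadXML($body, LIBXML_NONET)) {
        return null;
    }
    $nodes = $dom->getElementsByTagName('methodName');
    return $nodes->length ? $nodes->item(0)->textContent : null;
}

// Demonstration on a constructed benign call and on the constructed attack payload.
$benign = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>';
var_dump(parse_method_name($benign));
var_dump(xmlrpc_reject_reason(billion_laughs_sample()));
var_dump(parse_method_name(billion_laughs_sample()));
```

The guard is deliberately a string check rather than a parser option: it costs nothing, is independent of which XML library and version sits underneath, and rejects external DTDs and parameter entities just as readily as the internal expansion above.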

Senghan Bright, System Manager for WordPress here at Basefarm, has looked into the issue. Here is his account:

Due to a setting that is enabled by default on WordPress, there's an exploit that can be used to send a request to a target domain using the WordPress site as a proxy. With enough WordPress installations at your disposal, scripted requests from them collectively are enough to perform a denial of service.

I've tested some proof-of-concept code on a few test WordPress installations, and observed the API successfully send requests out to a target site, with the source appearing to be the test WordPress installation with its IP. There are various methods to disable the exploit. Being that the API has a lot of perfectly valid functionality that customers may use on their sites, the least destructive method is to install the following WordPress plugin:

This disables the specific exploitable function, whilst leaving the rest of the API working as normal.
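The plugin approach described above removes one XML-RPC method while leaving the rest of the API intact. As an added example (my code, not the plugin referred to in the post), the same effect can be had with a must-use plugin dropped into wp-content/mu-plugins/: WordPress core exposes the `xmlrpc_methods` filter for editing the method table and the `wp_headers` filter for the response headers it sends, which is where the `X-Pingback` header that advertises the endpoint comes from. The filter names are real WordPress hooks; the function names prefixed `bf_example_` are my own.

```php
<?php
/*
 * Plugin Name: Disable pingback.ping (added example)
 * Description: Removes only the pingback.ping XML-RPC method, which is the call abused
 *              to make a WordPress site issue requests against a third-party target,
 *              and stops advertising the pingback endpoint. Every other XML-RPC method
 *              (posting, media upload, mobile apps, Jetpack) keeps working.
 *
 * Added example, not code from WordPress or from any published plugin. Save as
 * wp-content/mu-plugins/disable-pingback-ping.php; must-use plugins load automatically
 * and cannot be deactivated from the dashboard, which is what you want for a hardening
 * control on a hosted platform.
 */

// xmlrpc_methods receives the full method table (method name => handler) just before
// the XML-RPC server dispatches a call. Dropping the key makes the method unknown.
function bf_example_remove_pingback_method(array $methods): array {
    unset($methods['pingback.ping']);
    return $methods;
}
add_filter('xmlrpc_methods', 'bf_example_remove_pingback_method');

// wp_headers receives the headers WordPress is about to send on a front-end request.
// X-Pingback tells crawlers (and attackers) where xmlrpc.php lives, so drop it.
function bf_example_strip_pingback_header(array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
}
add_filter('wp_headers', 'bf_example_strip_pingback_header');
```

To verify after deployment, POST an XML-RPC `system.listMethods` call to xmlrpc.php and confirm that `pingback.ping` no longer appears in the returned list, and that a front-end page response no longer carries an `X-Pingback` header. Themes that hard-code a `<link rel="pingback">` tag in header.php still advertise the URL; that tag is harmless once the method is gone, but can be removed from the template for tidiness.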

Your WordPress installation can be used in Denial of Service attacks (Fredrik Svantes, published 2014-03-13, updated 2014-03-21)

According to the announcement post, this maintenance release (3.6.1) fixes 13 bugs in version 3.6.

Additionally, version 3.6.1 fixes three security issues:

Remote Code Execution: Block unsafe PHP deserialization that could occur in limited situations and setups and lead to remote code execution. Reported by Tom Van Goethem. CVE-2013-4338.

Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention. CVE-2013-4339.

Privilege Escalation: Prevent a user with the Author role from using a specially crafted request to create a post "written by" another user. Reported by Anakorn Kyavatanakij. CVE-2013-4340.

A vulnerability in the very popular caching plugin "W3 Total Cache" has been made public, and it turns out that WP Super Cache is affected as well. Anyone running WordPress should check whether they use either plugin and whether it is at the latest version. Between them the two account for about 6.5 million downloads, and roughly 90% of WordPress installations that run a caching plugin use one of them. The issue affects blogs that accept comments directly, i.e. that are not using a third-party commenting system such as Disqus: both plugins treat specially formed HTML comments in cached page content as PHP to execute, and a visitor's comment is part of that content.

To test whether you're affected, post a comment containing the following (the dashes must be plain ASCII double hyphens, not the typographic dashes some editors substitute):

<!--mfunc echo PHP_VERSION; --><!--/mfunc-->

If you are not running the latest version of WP Super Cache or W3 Total Cache, the rendered comment will display your PHP version. That means the installation executes PHP embedded in comments and can be exploited. Delete the test comment afterwards.

The W3 Total Cache plugin for WordPress is prone to a remote PHP code-execution vulnerability. An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server. W3 Total Cache 0.9.2.8 is vulnerable. Other versions may also be affected.
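Updating the plugin is the fix. As an added example (my code, not code from W3 Total Cache or WP Super Cache), the following must-use plugin removes the `mfunc` and `mclude` markers that both cache layers interpret from new comments before they are stored, which closes the comment vector as a stop-gap and remains a sensible defence-in-depth measure afterwards. `pre_comment_content` and `preprocess_comment` are real WordPress hooks; the `bf_example_` names and the decision to strip rather than reject are my own.

```php
<?php
/*
 * Plugin Name: Strip cache-plugin execution tags from comments (added example)
 *
 * Added example, not code from either caching plugin. Both interpret
 * <!--mfunc ... --> ... <!--/mfunc--> and <!--mclude ... --> ... <!--/mclude--> markers found in
 * a cached page as PHP to execute, and WordPress's comment sanitiser (kses) lets HTML
 * comments through, so a visitor who gets such a marker into a comment gets code execution
 * in the web server's context. This filter removes the markers before the comment is saved.
 * Save as wp-content/mu-plugins/strip-cache-tags.php. Requires PHP 7.0+.
 */

// Matches opening, closing and self-contained mfunc/mclude markers, case-insensitively.
// "\s*\/?\s*" allows the closing form (<!--/mfunc-->) and whitespace padding;
// ".*?" with the s flag spans the embedded PHP, including newlines.
const BF_EXAMPLE_CACHE_TAG_RE = '/<!--\s*\/?\s*(?:mfunc|mclude)\b.*?-->/is';

function bf_example_contains_cache_tag(string $text): bool {
    return preg_match(BF_EXAMPLE_CACHE_TAG_RE, $text) === 1;
}

function bf_example_strip_cache_tags(string $text): string {
    return preg_replace(BF_EXAMPLE_CACHE_TAG_RE, '', $text);
}

// pre_comment_content filters the comment body just before it is written to the database,
// after kses has run, so nothing downstream sees the marker.
add_filter('pre_comment_content', 'bf_example_strip_cache_tags');

// Alternative policy: reject the comment outright instead of silently stripping.
// preprocess_comment runs earlier and receives the whole comment array.
function bf_example_reject_cache_tag_comment(array $commentdata): array {
    if (bf_example_contains_cache_tag($commentdata['comment_content'])) {
        wp_die('Comment rejected.', 'Comment rejected', ['response' => 403]);
    }
    return $commentdata;
}
// Uncomment to reject rather than strip:
// add_filter('preprocess_comment', 'bf_example_reject_cache_tag_comment');
```

Note that this only protects the comment path. Anyone who can already write post content (authors, editors, or an attacker holding such an account) can still plant the markers, which is why the plugin update, not the filter, is the real remedy.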

WordPress pushed out version 3.5.1 of its open source blogging platform yesterday, fixing 37 bugs including several cross-site scripting (XSS) errors and a vulnerability that could have allowed an attacker to expose information and compromise an unpatched site.

Until yesterday, the aforementioned vulnerability, discovered by security researchers Gennady Kovshenin and Ryan Dewhurst, affected all versions of the platform. It could be exploited for server-side request forgery (SSRF) and remote port scanning using pingbacks: the pingback handler fetches whatever source URL it is given and reveals through its response whether that fetch succeeded, so an attacker could make an unpatched WordPress server issue requests to other hosts on the attacker's behalf, including hosts behind a firewall that the attacker could not reach directly.

The update also fixes the following XSS issues: two instances of cross-site scripting via shortcodes and post content, and an XSS vulnerability in the external library Plupload.

Due to the nature of this release, it’s advised that anyone running WordPress have their WordPress installations updated.